Fix yy_limit computation after encoding switch

The three assignments above this line are still broken - they assume
that byte offsets in one encoding directly map to byte offsets in
another encoding.

I'm fixing the length here because it is the one causing out-of-bounds
reads and is easy to fix. For the others we'd have to actually compute
new offsets.

diff --git a/Zend/zend_language_scanner.c b/Zend/zend_language_scanner.c
index e524e0b68431c6c2375431eb5f434ce4ca208adf..5bd2798cde83b84b6f6370ca99b815adb977bde6 100644 (file)
--- a/Zend/zend_language_scanner.c
+++ b/Zend/zend_language_scanner.c
@@ -845,7 +845,7 @@ ZEND_API void zend_multibyte_yyinput_again(zend_encoding_filter old_input_filter
        SCNG(yy_cursor) = new_yy_start + (SCNG(yy_cursor) - SCNG(yy_start));
        SCNG(yy_marker) = new_yy_start + (SCNG(yy_marker) - SCNG(yy_start));
        SCNG(yy_text) = new_yy_start + (SCNG(yy_text) - SCNG(yy_start));
-       SCNG(yy_limit) = new_yy_start + (SCNG(yy_limit) - SCNG(yy_start));
+       SCNG(yy_limit) = new_yy_start + length;
 
        SCNG(yy_start) = new_yy_start;
 }

diff --git a/Zend/zend_language_scanner.l b/Zend/zend_language_scanner.l
index 146e3548527b3d72d43f59f811e711daee578b2d..bcc341e8a16867a7b4cd02f5d58a9cb2a8e37779 100644 (file)
--- a/Zend/zend_language_scanner.l
+++ b/Zend/zend_language_scanner.l
@@ -843,7 +843,7 @@ ZEND_API void zend_multibyte_yyinput_again(zend_encoding_filter old_input_filter
        SCNG(yy_cursor) = new_yy_start + (SCNG(yy_cursor) - SCNG(yy_start));
        SCNG(yy_marker) = new_yy_start + (SCNG(yy_marker) - SCNG(yy_start));
        SCNG(yy_text) = new_yy_start + (SCNG(yy_text) - SCNG(yy_start));
-       SCNG(yy_limit) = new_yy_start + (SCNG(yy_limit) - SCNG(yy_start));
+       SCNG(yy_limit) = new_yy_start + length;
 
        SCNG(yy_start) = new_yy_start;
 }

diff --git a/ext/mbstring/tests/zend_multibyte-07.phpt b/ext/mbstring/tests/zend_multibyte-07.phpt
index 50d4cd95ed3b9e9bdb308cb4d7f39d7f6c75f45e..685c6f1f04a82f524d3bc6e25235587ea3412797 100644 (file)
--- a/ext/mbstring/tests/zend_multibyte-07.phpt
+++ b/ext/mbstring/tests/zend_multibyte-07.phpt
@@ -1,8 +1,5 @@
 --TEST--
 zend multibyte (7)
---SKIPIF--
---XFAIL--
-https://bugs.php.net/bug.php?id=66582
 --INI--
 error_reporting=E_ALL & ~E_DEPRECATED
 zend.multibyte=On

diff --git a/ext/mbstring/tests/zend_multibyte-09.phpt b/ext/mbstring/tests/zend_multibyte-09.phpt
index 7b0015c6c120a8024dca1c6042923dc38d9e5326..f9b8bf734f7d95c87ba39aa5f689e175f8715f85 100644 (file)
--- a/ext/mbstring/tests/zend_multibyte-09.phpt
+++ b/ext/mbstring/tests/zend_multibyte-09.phpt
@@ -1,8 +1,5 @@
 --TEST--
 zend multibyte (9)
---SKIPIF--
---XFAIL--
-https://bugs.php.net/bug.php?id=66582
 --INI--
 error_reporting=E_ALL & ~E_DEPRECATED
 zend.multibyte=On